CRA Glossary – the Central Terms of the Cyber Resilience Act
The Cyber Resilience Act (Regulation (EU) 2024/2847) comes with its own vocabulary – from "product with digital elements" through "Module H" to the "Single Reporting Platform". This glossary explains the roughly two dozen most important terms concisely and in alphabetical order, each with a reference to the relevant article or annex. It provides general technical and organisational explanations, not legal advice; the definitions are explanatory, not binding.
Annex I (essential requirements)
Annex I is the substantive core of the CRA. Part I lists the essential cybersecurity requirements for the product itself (e.g. secure default configuration, attack-surface minimisation, protection of confidentiality and integrity). Part II sets out the requirements for vulnerability handling throughout the support period. Breaches of Annex I fall into the highest penalty tier (up to €15 million or 2.5 % of worldwide annual turnover, Art. 64).
Annex III (important products, Class I/II)
Annex III lists the "important" products with elevated risk. Class I includes, for example, password managers, browsers, VPNs, anti-malware, network management, SIEM, operating systems and routers/modems/switches. Class II is stricter and covers hypervisors and container runtimes, firewalls/IDS/IPS and tamper-resistant microprocessors. For classification details see CRA product classes.
Annex IV (critical products)
Annex IV names the "critical" products with the highest risk, such as hardware security modules (HSM), smart-meter gateways with secure cryptoprocessors, and smart cards / secure elements. For this category, the Commission may require a European cybersecurity certification scheme (at least the "substantial" level, Art. 32(4)). The technical category descriptions are provided by Implementing Regulation (EU) 2025/2392.
Annex VII (technical documentation)
Annex VII defines the content of the technical documentation: product description; design, development and production processes; vulnerability handling including architecture, SBOM and CVD policy; the risk assessment mapped to Annex I; support-period information; applied standards; and a copy of the EU declaration of conformity. It must be retained for at least ten years or for the duration of the support period.
Authorised representative
An authorised representative (Art. 18) is a person established in the EU whom a manufacturer appoints by written mandate. They keep the EU declaration of conformity and the technical documentation available for authorities and assist with certain obligations. However, they cannot take over the manufacturer's core duties under Art. 13 (e.g. conformity assessment, vulnerability handling).
CE marking
The manufacturer affixes the CE marking (Art. 30) to declare that the product meets the CRA's essential requirements. It may only be affixed after a successful conformity assessment, the drawing up of the technical documentation and the issuing of the EU declaration of conformity. The CE obligation takes effect with the CRA's general application on 11 December 2027.
Conformity assessment
Conformity assessment (Art. 32, Annex VIII) is the procedure that demonstrates a product meets the essential requirements. The permitted route depends on the product class: default products self-assess (Module A), whereas Class II and critical products always require third-party assessment. Whether your product is affected can be gauged via the affectedness check.
Coordinated Vulnerability Disclosure (CVD)
Coordinated Vulnerability Disclosure is an orderly process through which security researchers and third parties can report vulnerabilities to the manufacturer before they become public. The CRA makes a CVD policy mandatory for manufacturers (Annex I Part II), including a contact address for reports. Already-remediated vulnerabilities are publicly disclosed once an update is available.
CSIRT
A CSIRT (Computer Security Incident Response Team) is the governmental response body designated by each member state under NIS2. Under the CRA, the coordinating CSIRT acts as the recipient of manufacturer reports under Art. 14 – together with ENISA via the Single Reporting Platform. The relevant coordinating CSIRT is designated under Art. 15.
Distributor
A distributor (Art. 20) makes a product available on the market without being the manufacturer or importer. They act with due care and verify in particular that the CE marking is present and that the manufacturer or importer has met their obligations. They must not make non-conforming products available, take corrective action where needed and inform the parties involved.
ENISA Single Reporting Platform
The Single Reporting Platform (Art. 16) is the central platform operated by ENISA through which manufacturers submit their reports under Art. 14. It forwards early warnings, notifications and final reports to the coordinating CSIRT. The platform is intended to be operational by 11 September 2026 – aligned with the start of the reporting obligations.
EU declaration of conformity
The EU declaration of conformity (Art. 28, Annex V) is the document in which the manufacturer declares, under sole responsibility, that the product meets the essential requirements. It states, among other things, product identification, the manufacturer or authorised representative, the standards applied and – where relevant – the notified body with procedure and certificate. It must be retained together with the technical documentation.
Harmonised standards
Harmonised standards are European standards drawn up under a Commission mandate; their full application creates a presumption of conformity for the requirements they cover. If they (or common specifications or a certification scheme) are fully applied to a Class I product, self-assessment under Module A suffices (Art. 32(2)). Where they are absent, third-party assessment is required for Class I.
Importer
An importer (Art. 19) places products from a third country on the EU market. They may place only conforming products on the market and verify that the conformity assessment has been carried out, the technical documentation drawn up and the CE marking affixed. They do not perform the conformity assessment themselves but inform manufacturers of vulnerabilities and authorities of significant risks.
Manufacturer
The manufacturer (Art. 13) bears the bulk of the CRA obligations: meeting Annex I Part I, vulnerability handling under Part II, risk assessment, technical documentation (Annex VII), conformity assessment (Art. 32), EU declaration of conformity (Art. 28), CE marking (Art. 30) and reporting (Art. 14). The support period must be at least five years (or the shorter expected use).
Market surveillance
Market surveillance rests with the authorities designated by the member states, which check and enforce compliance with the CRA. They can request the technical documentation and SBOM on a reasoned request, require corrective action and remove non-conforming products from the market. Incorrect, incomplete or misleading information to market surveillance authorities can be penalised with up to €5 million or 1 % (Art. 64).
Modules A / B+C / H
The modules denote the various conformity assessment procedures. Module A is internal self-assessment without a notified body. Module B (EU type-examination by a notified body) is combined with Module C (conformity to type); Module H assesses the full quality-assurance system. Class II and critical products must always go through B+C or H (or a certification scheme).
NIS2 (delimitation)
NIS2 (Directive (EU) 2022/2555) regulates the cybersecurity of operators and services, not of products. The CRA and NIS2 are complementary: standalone SaaS or pure cloud services generally fall outside the CRA and under NIS2 instead. Remote data processing is only within CRA scope where it is an integral part of a product with digital elements.
Notified body
A notified body is an independent conformity assessment body notified by an authority that carries out assessments under Module B (EU type-examination) or Module H. It is mandatory only for Class II products (Annex III) and critical products (Annex IV) – the vast majority of products self-assess. The provisions on notified bodies (Art. 35–51) already apply from 11 June 2026.
Open-source steward
An open-source steward (Art. 24, definition Art. 3(14)) is a legal person that systematically supports the development of free and open-source products with digital elements with a view to commercial activity, without itself being a manufacturer. A light-touch regime applies: a documented cybersecurity policy, cooperation with authorities and a limited slice of the reporting obligations. Steward duties trigger neither CE marking nor administrative fines.
Product with digital elements (PDE)
A product with digital elements (Art. 3(1)) is a software or hardware product including its remote data processing solutions, as well as components placed on the market separately. Application is triggered by a direct or indirect logical or physical data connection to a device or network (Art. 2(1)). The PDE is the central point of reference for the entire CRA.
Remote data processing
Remote data processing (Art. 3(2)) means cloud or back-end solutions whose absence would prevent a product function and that are provided by the manufacturer or under its responsibility. Such integral remote processing solutions are within CRA scope as part of the product with digital elements. Standalone SaaS offerings, by contrast, are generally not covered (see NIS2).
Reporting duty (Art. 14)
Under Art. 14, the manufacturer must report actively exploited vulnerabilities and severe security incidents to the coordinating CSIRT and ENISA. The deadlines are staggered: an early warning within 24 hours, a notification within 72 hours, and a final report within 14 days of a fix becoming available (vulnerability) or within one month of the notification (incident). The reporting obligations apply from 11 September 2026.
SBOM (Software Bill of Materials)
An SBOM is a machine-readable inventory of a product's software components. Annex I Part II requires an SBOM in a commonly used, machine-readable format covering at least top-level dependencies. The Regulation does not prescribe a specific format; recognised formats such as CycloneDX, SPDX or SWID satisfy the requirement. The SBOM is evidence for authorities on a reasoned request, not an obligation to publish it publicly.
Support period
The support period is the span during which the manufacturer must handle vulnerabilities and provide security updates. It is at least five years, unless the expected use is shorter. Technical documentation and the EU declaration of conformity must be retained for at least ten years or for the duration of the support period – whichever is longer.
Technical documentation
The technical documentation is the written evidence of conformity and follows Annex VII in content (see the separate entry above). It forms the basis for the conformity assessment, EU declaration of conformity and CE marking. Market surveillance authorities can request it on a reasoned request.
Vulnerability handling (Annex I Part II)
Vulnerability handling covers the obligations throughout the support period: identifying and documenting vulnerabilities and components (including an SBOM), remediating them without delay via security updates, testing regularly, disclosing fixed vulnerabilities and enforcing a CVD policy. Security updates must be provided without delay and free of charge and – where feasible – separated from feature updates.
Let's talk about your CRA readiness
Unsure which CRA terms matter for your product? Blackfort Technology classifies your products correctly and derives the right conformity route – check your affectedness or get in touch with us.
Request a first call Check eligibility